Fix #121 Only apply throttling to redeemed tokens

2026-01-17 10:08:05 +00:00 · 2023-09-11 09:35:11 +00:00 · 2023-09-11 09:35:11 +00:00 · a2e8d27b49
commit a2e8d27b49
parent 1debbc5f10
2 changed files with 16 additions and 7 deletions
--- a/flexiapi/app/Http/Controllers/Api/Account/CreationTokenController.php
+++ b/flexiapi/app/Http/Controllers/Api/Account/CreationTokenController.php
@ -42,13 +42,15 @@ class CreationTokenController extends Controller
        ]);

        $last = AccountCreationToken::where('pn_provider', $request->get('pn_provider'))
-            ->where('pn_paparam', $request->get('pn_param'))
+            ->where('pn_param', $request->get('pn_param'))
            ->where('pn_prid', $request->get('pn_prid'))
            ->where('created_at', '>=', Carbon::now()->subMinutes(config('app.account_creation_token_retry_minutes'))->toDateTimeString())
+            ->where('used', true)
            ->latest()
            ->first();

        if ($last) {
+            Log::channel('events')->info('API: Token throttled', ['token' => $last->token]);
            abort(429, 'Last token requested too recently');
        }

--- a/flexiapi/tests/Feature/ApiAccountCreationTokenTest.php
+++ b/flexiapi/tests/Feature/ApiAccountCreationTokenTest.php
@ -64,9 +64,13 @@ class ApiAccountCreationTokenTest extends TestCase
        ])->assertStatus(422);
    }

-    public function testExpiration()
+    public function testThrottling()
    {
-        $existing = AccountCreationToken::factory()->create();
+        AccountCreationToken::factory()->create([
+            'pn_provider' => $this->pnProvider,
+            'pn_param' => $this->pnParam,
+            'pn_prid' => $this->pnPrid,
+        ]);

        $this->json($this->method, $this->tokenRoute, [
            'pn_provider' => $this->pnProvider,
@ -74,11 +78,14 @@ class ApiAccountCreationTokenTest extends TestCase
            'pn_prid' => $this->pnPrid,
        ])->assertStatus(503);

+        // Redeem all the tokens
+        AccountCreationToken::where('used', false)->update(['used' => true]);
+
        $this->json($this->method, $this->tokenRoute, [
-            'pn_provider' => $existing->pnProvider,
-            'pn_param' => $existing->pnParam,
-            'pn_prid' => $existing->pnPrid,
-        ])->assertStatus(422);
+            'pn_provider' => $this->pnProvider,
+            'pn_param' => $this->pnParam,
+            'pn_prid' => $this->pnPrid,
+        ])->assertStatus(429);
    }

    public function testAdminEndpoint()